General Data Protection Regulation
On the 25 May 2018, the European Union General Data Protection Regulation 2016/679 (“GDPR”) will come into effect. It has been widely recognised as the biggest change to data protection legislation to be introduced by the European Union in the last 20 years. It will replace the European Data Protection Directive 95/46/EC and will automatically become law at an EU level, applying uniformly across all EU member states. The rights of European data subjects have also been strengthened and the extra territorial scope has been extended to apply to any organisation that processes personal data a European residents regardless of where the organisation is based in the world.
Trayport is committed to ensuring GDPR compliance across our software and services by establishing robust and effective technical and organisational measures throughout the company.
The purpose of this statement is to outline:
- Trayport’s data processing activities in respect to the provision of our software and services to our client’s’;
- Our commitment to data protection; and
- What we are doing to ensure compliance with additional data protection obligations under the GDPR.
NATURE AND SCOPE OF TRAYPORT’S DATA PROCESSING ACTIVITIES
Under your contract with Trayport, you undertake to subscribe to the software and services provided by Trayport. In order to access the software and services, each user of the software and service must sign up for an account. During this process Trayport generally acquire contact details of authorised users such as first name, surname, username, and work email address. Once the account has been set up for an authorised user we can track login and logout date and times and we can see the IP address of the organisation for whom the user works and the workstation number from which the user is logging in. We also obtain general work contact details for people within your organisation that we can contact for the processing of the contract such as an IT contact and billing contact.
Trayport processes personal data to carry out our obligations arising from any client contracts entered into between you and us. Any personal information processed by Trayport may be used;
- For the effective administration of our software and services;
- To communicate with you;
- For record keeping purposes;
- To track usage;
- For billing purposes;
- To improve the software and services we provide;
- To undertake internal research and development for existing and future products and
- To provide you with the information, products and services that you request from us or to provide you with information about other goods or services we offer that are similar to those that you have already purchased or enquired about or that we feel may interest you.
Therefore Trayport will only process your personal data to the extent it is necessary to provide our software and services to you and in a manner consistent with our contract with you. No special categories of data are processed by Trayport in the provision of our software and services to you.
TRAYPORT’S COMMITMENT TO DATA PROTECTION
Information security and data protection is not a new concept to Trayport. Over the years Trayport has always respected our clients’ right to data protection and privacy. This can be demonstrated in what we already have in place to ensure the adequate protection of our clients’ personal data, some of which we have expanded on below.
Accreditations and Security of the Services
Trayport is committed to achieving and maintaining organisational and technological industry standards. We assess and actively monitor both our physical site security and our IT infrastructure, and operate a continuous improvement model to ensure that our controls are, and continue to be, appropriate to ensure client data is safe and secure. Our Information Security Management System (ISMS) is certified with the International Organisation for Standardisation (ISO) 27001
Information Security Standard. Active independent audits are continually undertaken to ensure Trayport’s maintenance and compliance with ISO 27001 and our certification under it.
Trayport operate privacy and security by design, addressing information security and data protection during all phases of the software and services development lifecycle and beyond. Our software and services are developed according to secure engineering principles including but not limited to layered security, data isolation, encryption, continual security testing, and access control.
Trayport is committed to preserving the confidentiality, integrity and availability of all the physical and electronic assets of Trayport’s software and services, by observing our legal, regulatory, and contractual compliance. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 of the GDPR will all taken into account when establishing appropriate technical and organisational methods.
Data location and transfers outside EEA
Client personal data is stored in data centres located within the EEA. Trayport have affiliates based in Singapore and the United States and in accordance with our client contracts, client details may be accessed or transmitted to these affiliates for the purposes of providing the software and service. Trayport has entered into standard European Model Clauses with each of its affiliates and they in turn have entered into these European Model Clauses with each other.
The European Model Clause is a mechanism provided for under the GDPR that ensures appropriate measures are in place to facilitate transfers of personal data outside of the EU. By operating in accordance with these contract clauses, we thereby ensure that any personal data accessed or transferred amongst Trayport and its affiliates is adequately protected.
Under our client contracts, Trayport state that we shall comply with all applicable laws and all necessary regulations with respect to its activities under the contract and further stipulate that we shall comply with all relevant obligations in accordance with any relevant data protection laws. Trayport is based within the European Union and provide services to data subjects within the European Union. As such, in accordance with our client contracts, the GDPR is relevant data
protection law to which we are subject to and which we must comply in the provision of software and services to our clients.
Trayport only entrusts employees with the processing of client data, in line with the purposes stipulated above, who have been bound to confidentiality meaning that, during or after employment with Trayport, they shall not they disclose to anyone outside the business any confidential client information.
PREPARATIONS FOR THE GDPR
Many of the GDPR’s main concepts and principles are much the same as those in the current Data Protection Act 1998 and Data Protection Directive 95/46/EC. Trayport has always taken its obligations toward data protection seriously and as such have robust technical and organisational measures in place. However, there are new elements and significant enhancements with the introduction to GDPR. The new Regulation enhances individual’s data protection rights and introduces a greater obligation for businesses to be transparent in how they use personal data.
Trayport has therefore taken this as an opportunity to conduct a thorough assessment of our business in order to identify and address any compliance gaps introduced by the increased obligations under of the GDPR and we have put in place a dedicated GDPR team to drive initiatives and ensure compliance with the GDPR by 25th May 2018.
Here are some of the ongoing steps we endeavour to have in effect by 25th May 2018:
- Awareness: Trayport have been actively ensuring that all decision makers and key people throughout the organisation are aware that the law surrounding data protection is changing and the impact that this will ultimately have on Trayport and our operations.
Trayport’s dedicated GDPR team, along with GDPR representatives from each department across the business, have received extensive and specialised privacy and
security training with particular emphasis on GDPR. In accordance with Article 39 of the GDPR, we will also be conducting internal training for all new employees during onboarding and commit to conducting training sessions for all our employees at least annually. Trayport will also commit to continue conducting Privacy Impact Assessments early in the product lifecycle to ensure appropriate technical and organisational methods are incorporated hence establishing the principle of Privacy by Design into our development lifecycle, which is an express legal requirement under the GDPR.
- Accountability and Risk Assessment: Trayport have always taken information security and data protection seriously and as such already have many organisational and technical measures in place to ensure the adequate protection of personal data within our organisation. Nevertheless, we took this opportunity to conduct an in depth audit of all of our filing systems in order to establish and document where personal data is being stored and how it is being used throughout the organisation. Any physical or electronicsystems containing personal data has then been risk assessed in order to ascertain if the appropriate technical and organisational controls are in place and implementing the appropriate risk treatment if necessary. In the provision of our software and services, Trayport stores very little personal data of our clients, none of which is sensitive. We limit access to client personal data to only those as is necessary to provide the software and services to clients and fulfil our obligations under our client contracts. All data is stored within the EEA in either Trayport’s internal business systems and/or within our data centres based in the UK and any personal data accessed or transmitted to our affiliates in the US or Singapore is protected through compliance with the standard European Model Clauses.
- Updating Privacy Policies and Procedures: We are in the process of reviewing our Privacy Policies to align with GDPR and our internal privacy and security policies and procedures in order to identify potential gaps and align them with the GDPR some of which will be published as applicable by 25th May 2018.
- Data Subject Rights: By in large the rights individuals enjoy under the GDPR are substantially the same as those provided for under the European Directive 95/46/EC but there are some significant enhancements. Trayport will be using this opportunity to check our current procedures and accommodate any additional changes required by the GDPR.
What is General Data Protection Regulations (“GDPR”)?
It’s a new European Union Regulation (Regulation (EU) 2016/679 that increases the rights of individuals on the processing and privacy of their personal data. It replaces the EU Data Protection Directive (95/46/EC) from 1995 and UK Data Protection Act 1998.
What rights do you have under GDPR?
In summary rights of the data subject include the following:
- The right to be informed
- The right of access
Individuals are entitled to know what personal data is held by organisations about them and how it is processed.
- The right to rectification
Individuals are entitled to have their personal data corrected if it is inaccurate
- The right to removal
Individual have the right to ask for the removal of their personal data where there is no legitimate reason for its continued processing.
- The right to data portability
Individual right to transfer or copy their personal data from one IT environment to another safely.
For more information on data subject rights see Article 12 – 23 of the GDPR.
When is this all happening?
GDPR will be fully enforceable from the 25 May 2018.
Who does GDPR apply to?
Any organisation big or small that processes personal data of EU residents.
Where does this apply? Is it only for organisations within the EU?
Organisations outside the EU that process personal data of EU residents will be subject to GDPR.
Where is my personal data stored?
All data is stored within the EEA in either Trayport’s internal business systems and/or within our data centres based in the UK and any personal data accessed or transmitted to our affiliates in the US or Singapore is protected through compliance with the standard European Model Clauses.
Is my data transferred outside of the EU?
We have affiliates in New York and Singapore and data can be accessed by and transferred to these affiliates. We have the EU Model Clauses in place with our entities outside of the European Union to ensure personal data is transferred in compliance with EU data protections laws.
What happens if an organisation breaches GDPR?
The GDPR has introduced increased administrative fines for non-compliance and are imposed by the UK’s Information Commissioner’s Office (ICO).
There are two tiers of possible administrative fines:
1) Up to €10 million, or 2% annual global turnover – whichever is higher.
2) Up to €20 million, or 4% annual global turnover – whichever is higher.
The value of the fine imposed by authorities depends on the data breach and will be assessed on a case by case basis and must be effective, proportionate and dissuasive.
Not all infringements of the GDPR will result in a fine as the application of fines are discretionary rather than mandatory.
What role do ISO 27001 accreditations play in compliance with GDPR?
Information Security Management (ISO 27001) is one the of the most internationally accepted, widely recognised, independent security standards. Trayport has gained ISO 27001 certification for the systems, applications, technology, data centres, processes and people, all of which are involved in the provision of software and service to our clients.
Will Trayport enter into my Security Policy/Questionnaire?
Trayport does not agree to individual client security polices because this is simply not practical. Trayport have a standard security and data privacy methodology that protects all of our client’s. Trayport’s pricing model and ability to provide a consistently high level of service relies on the standardisation of our operations, including security and data privacy.
GDPR JARGON BUSTER
Data controller: A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be processed.
Data processor: In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
Data subject: A natural person residing in the EU who is the subject of the data.
Personal data: Any information relating to an Data Subject; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special Categories of Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
This does not constitute legal advice and is for general information purposes only. Whilst we endeavour to ensure that the information is correct, no warranty is given as to its accuracy and we do not accept any liability for error or omission. For more information you can visit:
The European Commission website here https://ec.europa.eu/info/law/law-topic/dataprotection_en; and The ICO website here https://ico.org.uk/for-organisations/guide-to-the-general-data-protectionregulation-gdpr.